Linux GUI Client

The Linux GUI Client is designed for Linux desktop environments where a user is present to authenticate with your identity provider interactively.

If you're looking for a headless Client suitable for server or container-based installs, see the Linux headless Client user guide instead.

Prerequisites

  • x86-64 or ARM64 CPU architecture
  • Ubuntu 22.04 or higher, or CentOS 9 or higher. Other distributions may work, but are not officially supported.
  • systemd-resolved. Ubuntu already uses this by default.

Installation (Ubuntu)

Download the .deb package from our changelog page, or from the direct link below:

Run these commands:

# Install the package
# The leading `./` is needed so `apt-get` can tell this is a local file
sudo apt-get install ./firezone-client-gui-linux_<VERSION>_<ARCH>.deb

# Add yourself to the `firezone-client` group so you can use the tunnel service
sudo usermod -aG firezone-client "$USER"

# Reboot to finish adding yourself to the group
reboot

To auto-start the Client when you log in, run firezone-client-gui debug set-autostart true

Installation (CentOS)

Step 1: Install system tray

GNOME Shell 40 in CentOS 9 does not have a system tray by default. Use these steps to install it. For other desktops like xfce4 or KDE, the system tray may already work properly.

  1. sudo dnf install epel-release (Needed to get GNOME extensions)
  2. sudo dnf install gnome-shell-extension-appindicator
  3. Log out and back in to restart GNOME
  4. gnome-extensions enable appindicatorsupport@rgcjonas.gmail.com

Step 2: Install Firezone

  1. Download the RPM: Download the latest Linux GUI .rpm from GitHub Releases
  2. sudo dnf install systemd-resolved (Installing it explicitly prevents it from being auto-removed if Firezone is removed)
  3. sudo dnf install ./firezone-client-gui-*.rpm
  4. sudo usermod -aG firezone-client $USER
  5. sudo systemctl enable firezone-client-ipc.service (See https://www.freedesktop.org/software/systemd/man/latest/systemd.preset.html, "It is not recommended to ship preset files within the respective software packages implementing the units". The Fedora family of distros also seem to have their own policy that installing a service should not auto-start or enable it.)
  6. Reboot to finish adding yourself to the group. Logging out and back in is not enough. This also starts the new services for us.
  7. sudo cp /etc/resolv.conf /etc/resolv.conf.before-firezone Back up your resolv.conf file. If anything goes wrong with your DNS, you can copy this back into place.
  8. sudo ln --force --symbolic /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf This puts systemd-resolved, and therefore Firezone, in control of the system's DNS. systemd-resolved does not do this automatically, since it's under /etc.
  9. Run firezone-client-gui from the app menu.

Usage

Signing in

  1. Start the GUI by running firezone-client-gui from your desktop environment's application menu or from an interactive shell.
  2. At the Welcome screen, click Sign in. This will open the Firezone sign-in page in your default web browser.
  3. Sign in using your account slug and identity provider
  4. On the first run, check Always allow to allow your web browser to sign in to Firezone, then click Open or Open link
  5. Unlock your desktop's keyring, or create one if needed. Most desktops, including GNOME, encrypt the keyring with your login password, so your Firezone token is encrypted at rest.
  6. When you see the Firezone connected notification, Firezone is running.

The Welcome screen only appears during your first sign-in. After that, you can click on the Firezone icon in the system tray to open the tray menu and sign in.

Accessing a Resource

When Firezone is signed in, web browsers and other programs will automatically use it to securely connect to Resources.

To copy-paste the address of a Resource:

  1. Click on the Firezone tray icon to open the menu.
  2. Open a Resource's submenu and click on its address to copy it.
  3. Paste the address into your browser's URL bar and press Enter.

Quitting

  1. Click on the Firezone tray icon to open the menu.
  2. Click Disconnect and Quit or Quit.

When Firezone is not running, you can't access private Resources, and the computer will use its normal DNS and Internet behavior.

If you were signed in, then you will still be signed in the next time you start Firezone.

Signing out

  1. Click on the Firezone tray icon to open the menu.
  2. Click Sign out.

When you're signed out, you can't access private Resources, and the computer will use its normal DNS and Internet behavior.

Upgrading

  1. Download the latest .deb or .rpm installer package from GitHub Releases.
  2. Quit firezone-client-gui if it's running.
  3. Install the new package: sudo apt-get install ./firezone-client-gui-linux_<VERSION>_<ARCH>.(deb|rpm)
  4. Restart firezone-client-gui.

Diagnostic logs

Firezone writes log files to disk. These logs stay on your computer and are not transmitted anywhere. If you find a bug, you can send us a .zip archive of your logs to help us fix the bug.

To export or clear your logs:

  1. Click on the Firezone tray icon.
  2. Click Settings.
  3. Click Diagnostic Logs.
  4. Click Export Logs or Clear Log Directory.

Uninstalling

  1. Remove the auto-start link: firezone-client-gui debug set-autostart false
  2. Quit firezone-client-gui if it's running.
  3. Remove the package: sudo apt-get remove firezone-client-gui

Troubleshooting

Check if systemd-resolved is enabled

systemctl status systemd-resolved
stat /etc/resolv.conf

systemctl should show that systemd-resolved is enabled and active (running).

stat should show that resolv.conf is a symlink to stub-resolv.conf: File: /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

If systemd-resolved is not running, or the symlink is not set up, Firezone may not be able to start, or may not be able to access DNS resources.

Check if Firezone is controlling DNS

resolvectl dns

Firezone Split DNS:

Global:
Link 2 (enp0s6): 10.0.2.3 fec0::3
Link 3 (tun-firezone): 100.100.111.1 fd00:2021:1111:8000:100:100:111:0

Normal system DNS:

Global:
Link 2 (enp0s6): 10.0.2.3 fec0::3

cat /etc/resolv.conf

Normal resolv.conf if systemd-resolved is installed, whether or not Firezone is running:

# This file is managed by man:systemd-resolved(8). Do not edit.
...

Firezone resolv.conf if you set FIREZONE_DNS_CONTROL=etc-resolv-conf:

# BEGIN Firezone DNS configuration
...

Revert Firezone DNS control

By default, the Firezone GUI Client for Linux controls DNS using systemd-resolved, which will automatically revert DNS to the system defaults when Firezone is disconnected.

If the network interface stays up and DNS does not revert, you can try restarting the tunnel service. Quit the Firezone GUI, then run:

sudo systemctl restart firezone-client-ipc

Viewing logs

The Firezone Client is split into 2 main processes: An IPC service which runs the tunnel, and a GUI which allows the user to control Firezone.

  • IPC service logs are stored at /var/log/dev.firezone.client/
  • GUI logs are stored at $HOME/.cache/dev.firezone.client/data/logs/, where $HOME is, e.g. /home/username/

Known issues

  • The update checker notification does not work for RPM installations #7646
  • If you update Firezone while the GUI is running, you must manually restart the GUI #5790

Need additional help?

See all support options or try asking on one of our community-powered support channels:

Or try searching the docs:
Found a problem with this page? Open an issue
Last updated: January 03, 2025